SigmaHQ/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
Thomas Patzke 373424f145 Rule fixes
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00

title: Unsigned Image Loaded Into LSASS Process
id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
description: Loading unsigned image (DLL, EXE) into LSASS process
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2019/11/13
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 7
        Image|endswith: '\lsass.exe'
        Signed: 'false'
    condition: selection
falsepositives:
    - Valid user connecting using RDP
status: experimental
level: medium
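To show what the selection above actually matches, here is an added example (not part of the SigmaHQ repository) that evaluates the rule's three field conditions against a handful of constructed Sysmon Event ID 7 (Image Loaded) records. It implements only the Sigma semantics this rule relies on: a selection map is an AND over its fields, string comparison is case-insensitive, and the `|endswith` modifier is a suffix test. The sample events, their paths and the `find_hits` helper are all assumptions made for illustration, not real telemetry or Sigma library code.

```python
"""Evaluate the Sigma selection above against constructed Sysmon image-load records."""

# Constructed sample events (not real telemetry). Sysmon Event ID 7 = Image Loaded.
# Field names follow Sysmon's event schema; the values are made up for illustration.
SAMPLE_EVENTS = [
    # Signed Windows DLL loaded by LSASS: benign, must not match.
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptdll.dll", "Signed": "true"},
    # Unsigned DLL loaded by LSASS: this is what the rule is meant to catch.
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Users\Public\unsigned_module.dll", "Signed": "false"},
    # Unsigned DLL, but the loading process is not LSASS: out of scope for this rule.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Temp\unsigned.dll", "Signed": "false"},
    # Wrong event type (process creation), even though the image is LSASS.
    {"EventID": 1, "Image": r"C:\Windows\System32\lsass.exe", "Signed": "false"},
]

# The detection.selection block of the rule, as a Python dict.
RULE_SELECTION = {
    "EventID": 7,
    "Image|endswith": r"\lsass.exe",
    "Signed": "false",
}


def field_matches(event, key, expected):
    """Apply one Sigma field spec ('Field' or 'Field|endswith') to an event.

    Sigma string matching is case-insensitive. Only the modifiers this rule
    uses (plain equality and endswith) are implemented here.
    """
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    actual = event[name]
    if modifier == "endswith":
        return str(actual).lower().endswith(str(expected).lower())
    if modifier == "":
        if isinstance(expected, str):
            return str(actual).lower() == expected.lower()
        return actual == expected
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event, selection=RULE_SELECTION):
    """A Sigma selection map is an AND over all of its field conditions."""
    return all(field_matches(event, key, value) for key, value in selection.items())


def find_hits(events):
    """Return the ImageLoaded paths of the events the rule would flag."""
    return [event.get("ImageLoaded") for event in events if selection_matches(event)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT: unsigned image loaded into LSASS:", hit)
```

Running the block prints a single alert for the unsigned module loaded by `lsass.exe`; the signed load, the unsigned load into `svchost.exe` and the Event ID 1 record are all dropped, which is the behaviour a reviewer should expect from a three-field AND selection. The case-insensitive comparison matters in practice because Sysmon may report `Image` with mixed-case drive letters or directory names depending on how the path was resolved.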